{"id":"PYSEC-2026-1379","summary":"Flask-AppBuilder open redirect vulnerability using HTTP host injection","details":"### Impact\nFlask-AppBuilder prior to 4.6.2 would allow for a malicious unauthenticated actor to perform an open redirect by manipulating the Host header in HTTP requests.\n \n### Patches\nFlask-AppBuilder 4.6.2 introduced the `FAB_SAFE_REDIRECT_HOSTS` configuration variable, which allows administrators to explicitly define which domains are considered safe for redirection.\n\nExamples:\n```\nFAB_SAFE_REDIRECT_HOSTS = [\"yourdomain.com\", \"sub.yourdomain.com\", \"*.yourcompany.com\"]\n```\n\n### Workarounds\nUse a Reverse Proxy to Enforce Trusted Host Headers\n\n### References\n_Are there any links users can visit to find out more?_","aliases":["CVE-2025-32962","GHSA-99pm-ch96-ccp2"],"modified":"2026-07-07T17:47:36.773629556Z","published":"2026-07-07T16:02:52.688627Z","references":[{"type":"WEB","url":"https://github.com/dpgaspar/Flask-AppBuilder/security/advisories/GHSA-99pm-ch96-ccp2"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2025-32962"},{"type":"WEB","url":"https://github.com/dpgaspar/Flask-AppBuilder/commit/32eedbbb5cb483a3e782c5f2732de4a6a650d9b6"},{"type":"PACKAGE","url":"https://github.com/dpgaspar/Flask-AppBuilder"},{"type":"PACKAGE","url":"https://pypi.org/project/flask-appbuilder"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-99pm-ch96-ccp2"}],"affected":[{"package":{"name":"flask-appbuilder","ecosystem":"PyPI","purl":"pkg:pypi/flask-appbuilder"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"4.6.2"}]}],"versions":["0.1.10","0.1.11","0.1.12","0.1.13","0.1.14","0.1.15","0.1.16","0.1.17","0.1.18","0.1.19","0.1.20","0.1.21","0.1.22","0.1.23","0.1.24","0.1.25","0.1.26","0.1.27","0.1.28","0.1.29","0.1.3","0.1.33","0.1.34","0.1.35","0.1.36","0.1.37","0.1.38","0.1.4","0.1.43","0.1.44","0.1.45","0.1.46","0.1.47","0.1.5","0.1.6","0.1.7","0.1.8","0.1.9","0.10.0","0.10.1","0.10.2","0.10.3","0.10.4","0.10.5","0.10.6","0.10.7","0.2.0","0.2.1","0.2.2","0.3.0","0.3.1","0.3.10","0.3.11","0.3.12","0.3.13","0.3.14","0.3.15","0.3.16","0.3.17","0.3.2","0.3.3","0.3.4","0.3.5","0.3.6","0.3.7","0.3.8","0.3.9","0.4.0","0.4.1","0.4.2","0.4.3","0.5.0","0.5.1","0.5.2","0.5.3","0.5.4","0.5.5","0.5.6","0.6.1","0.6.10","0.6.11","0.6.12","0.6.13","0.6.14","0.6.2","0.6.3","0.6.4","0.6.5","0.6.6","0.6.7","0.6.8","0.6.9","0.7.0","0.7.1","0.7.2","0.7.3","0.7.4","0.7.5","0.7.6","0.7.7","0.7.8","0.8.0","0.8.1","0.8.2","0.8.3","0.8.4","0.8.5","0.9.0","0.9.1","0.9.2","0.9.3","1.0.0","1.0.1","1.1.0","1.1.1","1.1.2","1.1.3","1.10.0","1.11.0","1.11.1","1.12.0","1.12.1","1.12.2","1.12.3","1.12.4","1.12.5","1.13.0","1.13.1","1.2.0","1.2.1","1.3.0","1.3.1","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.5.0","1.6.0","1.6.1","1.6.2","1.6.3","1.7.0","1.7.1","1.8.0","1.8.1","1.9.0","1.9.1","1.9.2","1.9.3","1.9.4","1.9.5","1.9.6","2.0.0","2.1.0","2.1.1","2.1.10","2.1.11","2.1.12","2.1.13","2.1.2","2.1.3","2.1.4","2.1.5","2.1.6","2.1.7","2.1.8","2.1.9","2.2.0","2.2.0rc1","2.2.0rc2","2.2.1","2.2.1rc1","2.2.1rc2","2.2.1rc3","2.2.2","2.2.2rc1","2.2.2rc2","2.2.2rc3","2.2.3","2.2.3rc1","2.2.3rc2","2.2.3rc3","2.2.3rc4","2.2.3rc5","2.2.3rc6","2.2.4","2.2.4rc1","2.3.0","2.3.0rc1","2.3.0rc2","2.3.0rc3","2.3.0rc4","2.3.1","2.3.1rc1","2.3.2","2.3.2rc1","2.3.3","2.3.3rc1","2.3.3rc2","2.3.3rc3","2.3.4","2.3.4rc1","3.0.0","3.0.0rc1","3.0.0rc2","3.0.0rc3","3.0.0rc4","3.0.1","3.0.1rc1","3.1.0","3.1.0rc1","3.1.0rc2","3.1.0rc3","3.1.1","3.1.1rc1","3.1.1rc2","3.1.1rc3","3.2.0","3.2.0rc1","3.2.0rc2","3.2.1","3.2.1rc1","3.2.2","3.2.2rc1","3.2.3","3.2.3rc1","3.2.3rc2","3.3.0","3.3.0rc1","3.3.1","3.3.1rc1","3.3.2","3.3.2rc1","3.3.3","3.3.3rc1","3.3.4","3.3.4rc1","3.4.0","3.4.0rc1","3.4.0rc2","3.4.1","3.4.1rc1","3.4.1rc2","3.4.1rc3","3.4.2","3.4.2rc1","3.4.3","3.4.3rc1","3.4.3rc2","3.4.4","3.4.4rc1","3.4.5","3.4.5rc1","4.0.0","4.0.0rc1","4.0.0rc2","4.0.0rc3","4.0.1rc1","4.1.0","4.1.1","4.1.1rc1","4.1.2","4.1.2rc1","4.1.3","4.1.3rc1","4.1.4","4.1.4rc1","4.1.5","4.1.5rc1","4.1.6","4.1.6rc1","4.1.7rc1","4.2.0","4.2.0rc1","4.2.1","4.2.1rc1","4.2.2rc1","4.3.0","4.3.0rc1","4.3.1","4.3.10","4.3.10rc1","4.3.11","4.3.11rc1","4.3.1rc1","4.3.2","4.3.2rc1","4.3.2rc2","4.3.3","4.3.3rc1","4.3.3rc2","4.3.4","4.3.4rc1","4.3.5","4.3.5rc1","4.3.5rc2","4.3.6","4.3.6rc1","4.3.7","4.3.7rc1","4.3.8","4.3.8rc1","4.3.9","4.3.9rc1","4.4.0","4.4.0rc1","4.4.1","4.4.1rc2","4.5.0","4.5.0rc1","4.5.1","4.5.1rc1","4.5.2","4.5.2rc1","4.5.3","4.5.3rc1","4.5.4","4.5.4rc1","4.5.4rc2","4.5.5","4.5.5rc1","4.5.5rc2","4.6.0","4.6.0.dev1","4.6.0.dev2","4.6.0rc1","4.6.1","4.6.1rc1","4.6.1rc2","4.6.1rc3","4.6.2rc1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/flask-appbuilder/PYSEC-2026-1379.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"}]}